ENISA advises on smartphone app security

In the wake of several high-profile exploits of smartphone operating system through insecure apps, the European Network and Information Security Agency (ENISA) has identified five recommendations for running a more secure app store.

Recent exploits have seen the DroidDream trojan compromise around 50,000 mobile devices via infected apps in the Android app store.

App review: Appstores should review apps before admitting them to the app store. While app review cannot be perfect, it limits the possibilities for app developers to introduce malicious, or legitimate but insecure apps in app stores.

Reputation mechanism: Reputation of apps and app developers can help users avoid malware. A point of concern is that most users rate apps for their functionality and not for their security, so there should be a separate channel for security and privacy issues (e.g. "this app works, but asks for excessive privileges at install").

App revocation (or kill-switch): Smartphone platforms should support remote removal of installed apps by app stores. App stores should have an app revocation mechanism for malware and insecure apps.

Device security: App store defences rely on the security of the devices running the apps. The device should install and run apps in sandboxes, to reduce the impact of malware. In the sandbox, apps should get only a minimal set of privileges (the principle of least privilege). The sandbox should monitor the app inside it and allow the user to see the app's past activity.

Jails (or walled gardens): Smartphone platform vendors can restrict smartphones to apps from one or more designated app stores only and in this way prevent drive-by download attacks. This is commonly referred to as a jail or a walled garden. The smartphone should either be blocked from using untrusted app stores or, for expert users, present clear warnings about installing from untrusted sources.

While ENISA recognised the benefits of hosting apps within a small number of stores where they can be vetted, it highlighted the increasing vulnerability of smartphones as they are increasingly used to process and store critical information.

"Cyber attackers are focusing more on smartphones. They will try to sell malicious apps directly or go after software vulnerabilities in popular apps. The stakes are high: consumers, government and business professionals use smartphones to store and process large amounts of confidential and personal data."

Dr Marnix Dekker and Dr Giles Hogben, co-authors of the report said:

"Using malicious apps, attackers can easily tap into the vast amount of private data processed on smartphones such as confidential business emails, location data, phone calls, SMS messages and so on. Consumers are hardly aware of this."

Microsoft has made an early version of Windows 10 - its next operating system - available for download. The OS promises better integration and harmonisation across platforms, including mobile and desktop.
Will your business be upgrading?

Popular Threads

There is a lot of attention being paid to how business leaders can use the mobile computing preferences of employees and customers to be more responsive, efficient and successful. This white paper runs through five security considerations for the mobile age.